CROSS-MODULE BEHAVIORAL VALIDATION
    1. CROSS-MODULE BEHAVIORAL VALIDATION
    Type: Invention publication
    Status: Under examination (published)

    Publication number: EP3304316A1

    Publication date: 2018-04-11

    Application number: EP16721600.1

    Filing date: 2016-04-28

    CPC classification number: G06N5/04 G06F11/3604

    Abstract: Systems, methods, and devices of the various aspects enable methods of cross-module behavioral validation. A plurality of observer modules of a system may observe behavior or behaviors of an observed module of the system. Each of the observer modules may generate a behavior representation based on the behavior or behaviors of the observed module. Each observer module may apply the behavior representation to a behavior classifier model suitable for each observer module. The observer modules may aggregate classifications of behaviors of the observed module determined by each of the observer modules. The observer modules may determine, based on the aggregated classification, whether the observed module is behaving anomalously.

    2. METHODS AND SYSTEMS FOR USING BEHAVIORAL ANALYSIS TOWARDS EFFICIENT CONTINUOUS AUTHENTICATION
    Type: Invention application
    Status: Under examination (published)

    Publication number: WO2016060738A1

    Publication date: 2016-04-21

    Application number: PCT/US2015/046118

    Filing date: 2015-08-20

    Abstract: A computing device processor may be configured with processor-executable instructions to implement methods of using behavioral analysis and machine learning techniques to identify, prevent, correct, and/or otherwise respond to malicious or performance-degrading behaviors of the computing device. As part of these operations, the processor may perform multifactor authentication operations that include determining one or more of a transaction type criticality value, a user confidence value, a software integrity confidence value, and a historical behavior value, using the one or more of these values to determine a number of authentication factors that are to be evaluated when authenticating a user of the computing device, and authenticating the user by evaluating the determined number of authentication factors.


    3. METHODS AND SYSTEMS FOR THWARTING SIDE CHANNEL ATTACKS
    Type: Invention application
    Status: Under examination (published)

    Publication number: WO2015200044A1

    Publication date: 2015-12-30

    Application number: PCT/US2015/035997

    Filing date: 2015-06-16

    CPC classification number: H04L63/1416 G06F21/556 G06F2221/2125 H04L63/1433

    Abstract: A computing device may use machine learning techniques to determine the level, degree, and severity of its vulnerability to side channel attacks. The computing device may intelligently and selectively perform obfuscation operations (e.g., operations to raise the noise floor) to prevent side channel attacks based on the determined level, degree, or severity of its current vulnerability to such attacks. The computing device may also monitor the current level of natural obfuscation produced by the device, determining whether there is sufficient natural obfuscation to prevent a side channel attack during an ongoing critical activity, and perform the obfuscation operation during the ongoing critical activity and in response to determining that there is not sufficient natural obfuscation to adequately protect the computing device against side channel attacks.


    4. METHODS AND SYSTEMS FOR THWARTING SIDE CHANNEL ATTACKS
    Type: Invention publication
    Status: Granted

    Publication number: EP3161711A1

    Publication date: 2017-05-03

    Application number: EP15731800.7

    Filing date: 2015-06-16

    CPC classification number: H04L63/1416 G06F21/556 G06F2221/2125 H04L63/1433

    Abstract: A computing device may use machine learning techniques to determine the level, degree, and severity of its vulnerability to side channel attacks. The computing device may intelligently and selectively perform obfuscation operations (e.g., operations to raise the noise floor) to prevent side channel attacks based on the determined level, degree, or severity of its current vulnerability to such attacks. The computing device may also monitor the current level of natural obfuscation produced by the device, determining whether there is sufficient natural obfuscation to prevent a side channel attack during an ongoing critical activity, and perform the obfuscation operation during the ongoing critical activity and in response to determining that there is not sufficient natural obfuscation to adequately protect the computing device against side channel attacks.


    6. RETURN ORIENTED PROGRAMMING ATTACK DETECTION VIA MEMORY MONITORING
    Type: Invention application
    Status: Under examination (published)

    Publication number: WO2016137579A1

    Publication date: 2016-09-01

    Application number: PCT/US2016/012320

    Filing date: 2016-01-06

    CPC classification number: G06F21/554 G06F21/52 G06F21/566

    Abstract: Aspects include computing devices, systems, and methods for detecting return oriented programming (ROP) attacks on a computing device. A memory traversal map for a program called to run on the computing device may be loaded. A memory access request of the program to a memory of the computing device may be monitored and a memory address of the memory from the memory access request may be retrieved. The retrieved memory address may be compared to the memory traversal map and a determination of whether the memory access request indicates a ROP attack may be made. The memory traversal map may include a next memory address adjacent to a previous memory address in the memory traversal map. A cumulative anomaly score based on mismatches between the retrieved memory address and the memory traversal map may be calculated and used to determine whether to load a finer grain memory traversal map.


    7. PRE-IDENTIFYING PROBABLE MALICIOUS BEHAVIOR BASED ON CONFIGURATION PATHWAYS
    Type: Invention application
    Status: Under examination (published)

    Publication number: WO2015050727A1

    Publication date: 2015-04-09

    Application number: PCT/US2014/056666

    Filing date: 2014-09-19

    Abstract: The various aspects include systems and methods for enabling mobile computing devices (102) to recognize when they are at risk of experiencing malicious behavior in the near future given a current configuration. Thus, the various aspects enable mobile computing devices (102) to anticipate malicious behaviors before a malicious behavior begins rather than after the malicious behavior has begun. In the various aspects, a network server (116) may receive behavior vector information from multiple mobile computing devices (102) and apply pattern recognition techniques to the received behavior vector information to identify malicious configurations and pathway configurations that may lead to identified malicious configurations. The network server (116) may inform mobile computing devices (102) of identified malicious configurations and the corresponding pathway configurations, thereby enabling mobile computing devices (102) to anticipate and prevent malicious behavior from beginning by recognizing when they have entered a pathway configuration leading to malicious behavior.


    8. MEMORY HIERARCHY MONITORING SYSTEMS AND METHODS
    Type: Invention application
    Status: Under examination (published)

    Publication number: WO2017014896A1

    Publication date: 2017-01-26

    Application number: PCT/US2016/038664

    Filing date: 2016-06-22

    CPC classification number: G06F3/0604 G06F3/0653 G06F3/0683 G06F21/552

    Abstract: Systems, methods, and devices of the various aspects enable identification of anomalous application behavior by monitoring memory accesses by an application running on a computing device. In various aspects, a level of memory access monitoring may be based on a risk level of an application running on the computing device. The risk level may be determined based on memory address accesses of the application monitored by an address monitoring unit of one or more selected memory hierarchy layers of the computing device. The memory hierarchy layers selected for monitoring for memory address accesses of the application may be based on the determined risk level of the application. Selected memory hierarchy layers may be monitored by enabling one or more address monitoring units (AMUs) associated with the selected one or more memory hierarchy layers. The enabling of selected AMUs may be accomplished by an AMU selection module.


    9. CROSS-MODULE BEHAVIORAL VALIDATION
    Type: Invention application
    Status: Under examination (published)

    Publication number: WO2016195860A1

    Publication date: 2016-12-08

    Application number: PCT/US2016/029710

    Filing date: 2016-04-28

    CPC classification number: G06N5/04 G06F11/3604

    Abstract: Systems, methods, and devices of the various aspects enable methods of cross-module behavioral validation. A plurality of observer modules of a system may observe behavior or behaviors of an observed module of the system. Each of the observer modules may generate a behavior representation based on the behavior or behaviors of the observed module. Each observer module may apply the behavior representation to a behavior classifier model suitable for each observer module. The observer modules may aggregate classifications of behaviors of the observed module determined by each of the observer modules. The observer modules may determine, based on the aggregated classification, whether the observed module is behaving anomalously.


    10. MALWARE DETECTION AND PREVENTION BY MONITORING AND MODIFYING A HARDWARE PIPELINE
    Type: Invention application
    Status: Under examination (published)

    Publication number: WO2015050728A1

    Publication date: 2015-04-09

    Application number: PCT/US2014/056670

    Filing date: 2014-09-19

    Abstract: The various aspects provide a method for recognizing and preventing malicious behavior on a mobile computing device (102) before it occurs by monitoring and modifying instructions pending in the mobile computing device's hardware pipeline (404) (i.e., queued instructions). In the various aspects, a mobile computing device (102) may preemptively determine whether executing a set of queued instructions will result in a malicious configuration given the mobile computing device's current configuration. When the mobile computing device (102) determines that executing the queued instructions will result in a malicious configuration, the mobile computing device (102) may stop execution of the queued instructions or take other actions to preempt the malicious behavior before the queued instructions are executed.

